DETAILED ACTION



This first non-final action is in response to the original filing of 05/19/2004. Claims 1-18 
are pending and have been considered as follows. 

Examiner's Note 

1. The Applicant appears to be attempting to invoke 35 U.S.C. 112 6th paragraph in Claims
7, 11, 12, 13, 17, & 18 by using "means-plus-function" language. However, the Examiner notes
that the only "means" for performing these cited functions in the specification appears to be 
computer program modules. While the claims pass the first test of the three-prong test used to 
determine invocation of paragraph 6, since no other specific structural limitations are disclosed 
in the specification, the claims do not meet the other tests of the three-prong test. Therefore, 35 
U.S.C. 112 6th paragraph has not been invoked when considering these claims below.

Claim Objections 

2. Claims 5, 11, & 17 are objected to because of the following informalities:

- Claims 5, 11, & 17, on line 3 of each, recite what appears to have been a typographical
error, "less" which appears that the applicant meant to be, "...greater..." Appropriate
correction is required. 

Claim Rejections - 35 USC § 103

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

4. Claims 1, 2, 4, 5, 7, 8, 10, 11, 13, 14, 16, & 17 are rejected under 35 U.S.C. 103(a) as
being unpatentable over Vaidya (US-6279113-B1).

Claims 1, 7, & 13:

Vaidya discloses a method, system, and computer recording medium including computer 
executable code for maintaining security of a computer system comprising, 

- "determining an initial system certainty value for the computer system" (i.e. "attack 
signature profiles to the data collectors 10 based on the network configuration") [column 
5 lines 31-33]; 

- "providing access to a database of signatures" (i.e. "the data repository 12 includes a 
database handler 26 which polls the data collectors 10 for intrusion detection data and 
stores the data for future reference") [column 5 lines 47-50]; 

- "each signature including a signature certainty value" (i.e. "The attack signature profile 
type can be either simple, sequential or a timer/counter based") [column 7 lines 2-4]; 

- "receiving data" (i.e. "The remote network 24 is connected to the LAN 11 and is
equipped with a data collector 10 which monitors work stations located on the remote 
network 24 and transmits network security data specific to the remote network back to
the data repository 12. Both the remote network 24 and the LAN 11 are connected to the
global communications network referred to as the Internet") [column 5 lines 39-46]; 

- "comparing the received data with the database of signatures" (i.e. "The attack signature 
profiles are adapted for detecting network data patterns associated with network 
intrusions which include unauthorized attempts to access network objects, unauthorized 
manipulation of network data, including data transport, alteration or deletion, and 
attempted delivery of malicious data packets capable of causing a malfunction in a 
network object") [column 5 lines 33-39]; 

- "filtering the data based on the system certainty value and the signature certainty value of 
a signature matching the received data" (i.e. "If in step 64 the data collector 10 
determines that the data packet is not associated with a network intrusion, the data 
collector continues to monitor data in step 58. If a network intrusion is detected, the 
reaction module is notified in step 66. The reaction module 38 takes steps to trace the 
application session associated with the data packet, to terminate the session, and/or to 
notify the network administrator") [column 7 lines 4-11];

but Vaidya does not explicitly disclose,

- "increasing the system certainty value if the received data does not match a signature in 
the database" 

- "decreasing the system certainty value if the received data matches a signature in the 
database" 

however, Vaidya does disclose,

- "A timer/counter based attack signature profile directs the virtual processor 36 to execute
instructions associated with a single expression on every data packet associated with a 
particular application session to determine whether an event has occurred a threshold 
number of times within a predetermined time interval" [column 8 lines 16-21]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "increasing the system certainty value if the received data does 
not match a signature in the database" and "decreasing the system certainty value if the received 
data matches a signature in the database," in the invention as disclosed by Vaidya for the 
purposes of determining whether a particular event has occurred a threshold number of times.

Claims 2, 8, & 14:

Vaidya discloses a method, system, and computer recording medium including computer 
executable code for maintaining security of a computer system, as in Claims 1, 7, & 13 above 
respectively, but does not explicitly disclose,

- "the data that does not match a signature in the database is forwarded to its destination"

however, Vaidya does disclose,

- "indicating which network objects are not permitted to access other network objects" 
[column 6 lines 34-35]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the
applicant's invention to include, "the data that does not match a signature in the database is 
forwarded to its destination," in the invention as disclosed by Vaidya since the recitation of
network objects not being permitted access to other network objects would imply that under any
other condition, network objects would be permitted access.

Claims 4, 10, & 16:

Vaidya discloses a method, system, and computer recording medium including computer
executable code for maintaining security of a computer system, as in Claims 1, 7, & 13 above 
respectively, further comprising, 

- "the data comprises a packet of data" (i.e. "data packets") [column 5 line 38].

Claims 5, 11, & 17:

Vaidya discloses a method, system, and computer recording medium including computer
executable code for maintaining security of a computer system, as in Claims 1, 7, & 13 above
respectively, but does not explicitly disclose,

- "the filtering further comprises forwarding the data if the signature certainty value is less 
than the system certainty value" 

- "the filtering further comprises discarding the data if the signature certainty value is less 
than the system certainty value" 

however, Vaidya does disclose,

- "indicating which network objects are not permitted to access other network objects" 
[column 6 lines 34-35]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the
applicant's invention to include, "the filtering further comprises forwarding the data if the 
signature certainty value is less than the system certainty value" and "the filtering further 
comprises discarding the data if the signature certainty value is less than the system certainty 
value," in the invention as disclosed by Vaidya since the recitation of network objects not being 
permitted access to other network objects would also imply that under any other condition, 
network objects would be permitted access. In addition, the invention disclosed by Vaidya 
includes determining malicious data packets based on signature thresholds which would be 
understood as permitting access if under one set of conditions (i.e. signature certainty value less 
than) and refusing access under all other conditions (i.e. signature certainty value greater than).

5. Claims 3, 6, 9, 11, 15, & 18 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Vaidya (US-6279113-B1) in view of Moran (US-7032114-B1).

Claims 3, 9, & 15:

Vaidya discloses a method, system, and computer recording medium including computer 
executable code for maintaining security of a computer system, as in Claims 1, 7, & 13 above 
respectively, but does not disclose,

- "the increased or decreased certainty value becomes the initial system value"

however, Moran does disclose,

- "the high false positive rate typical of the real-time systems is reduced by filtering out 
false alerts using a broader range of information than the IDS can retain, and by allowing 
the alert threshold to be set higher, because the inventive system can recover information
about a suspicious session that occurred before the threshold was crossed" [column 8 
lines 39-44]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the increased or decreased certainty value becomes the initial 
system value," in the invention as disclosed by Vaidya for the purposes of readjusting the 
threshold to reduce the possibility of a false positive under conditions which are applicable.

Claims 6, 12, & 18:

Vaidya discloses a method, system, and computer recording medium including computer 
executable code for maintaining security of a computer system, as in Claims 5, 11, & 17 above
respectively, but does not disclose,

- "the step of forwarding further comprises generating a message log to indicate that data 
matching a signature was forwarded" 

however, Moran does disclose, 

- "an intrusion detection system comprises a mechanism for checking timestamps, 
configured to identify backward and forward time steps in a log file, filter out expected 
time steps, correlate them with other events, and assign a suspicion value to a record 
associated with an event" [column 4 lines 28-33]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the step of forwarding further comprises generating a message 
log to indicate that data matching a signature was forwarded," in the invention as disclosed by 
Vaidya for the purposes of recording timed information for future further analysis. 

Conclusion



6. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Examiner Oscar Louie whose telephone number is 571-270-1684. 
The examiner can normally be reached Monday through Thursday from 7:30 AM to 4:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami, can be reached at 571-272-4195. The fax phone number for 
Formal or Official faxes to Technology Center 2100 is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



OAL 
08/17/2007 



Nasser Moazzami 
Supervisory Patent Examiner 




